TRANSCRIPT
VANGUARD SECURITY & COMPLIANCE 2016
Sherry Courtney
Duke Energy
BTB2
Remediating CICS User’s Experience
SECURITY & COMPLIANCE CONFERENCE 2016
Legal Notice
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
The following are trademarks or registered trademarks of the International Business Machines Corporation in the United States, other countries, or both:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
zSecure
Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Other company, product, and service names may be trademarks or service marks of others.
Session Abstract
Has your company recently merged with another company? Have you recently converted to RACF® from ACF2 or Top Secret? Are you new to an organization that hasn't cleaned up the RACF database in years? Are you now being tasked with remediating RACF/CICS® security? This class is designed to show you where to begin, what to expect, and the considerations for deciding whether you need to build profiles from scratch or remediate existing profiles. It also covers how to capture SMF data without blowing up SMF, and the do's and don'ts of remediating.
Instructor's Bio
With more than 40 years of experience in Information Technology and System Security Engineering, Sherry leverages her extensive knowledge base and expertise to assist with CICS security in RACF, DB2® internal security to RACF migrations, z/OS® and RACF assessments, and RACF remediation projects, and has delivered RACF basic and advanced training at Vanguard Security Conferences for 20+ years. Along with working as a Security Engineer, Sherry has performed numerous RACF security audits and reviews as a consultant with major audit firms. Sherry is well known in the RACF security world and has worked as a consultant within several Fortune 500 companies.
Agenda
Purpose
• RACF/CICS brief overview
–IBM® Supplied Classes
• Do you know how CICS is protected in your shop
• Locating System Initialization Parameters in Use
–XTRN
–XCMD
–XPPT
–XSFCT
–etc.
Agenda, cont'd
• Steps for Remediation
1.System Level Transaction profiles
2.Group Class Transaction profiles
3.Member Class Transaction profiles
• Recommendations
Purpose
• Let’s assume your company has just merged with another company. You have inherited a new CICS RACF environment to support, you now have to perform a CICS security review, and that review has found major issues.
• How to remediate CICS security
Brief RACF/CICS Overview
• RACF protection for CICS
–CICS Datasets protected at the ‘region’ level
• Programs and Table Libraries
• CICS System datasets
• Application datasets
–CICS defined resources protected at the USER level
• CSD (CICS System Definition Dataset)
• CPSM (CICSPLEX System Manager)
How to find what RACF Classes are in use
Example of finding SYSIN from Job Log
Other Resource Class Information
Another example of System Parameters
Example of Finding SYSIN from JCL
RACF TRANSACTION CLASS
Step 1 – Defining Testing Classes
Step 2 – Remediating System Level Transactions
Findings for System Transactions
Remediating System Findings
Remediating System Transaction's Access
Using Grouping Class Profiles
Access Determinations
Step 3 – Remediating Transaction Class Profiles
Step 4 – Other Considerations
Considerations Continued
Considerations Continued
FINAL STEP
Recommendations
Reference Material
Contact Information
Thank you!